05-25-2010 06:16 PM - edited 03-01-2019 06:49 AM
So, I went through the configuration guide for AAA for the Nexus, but cannot get it working. It's a little different from the Catalyst, but some things are the same. My config went like this:
tacacs+ enable
tacacs-server key 7 <key>
tacacs-server timeout 30
tacacs-server host 10.10.10.10 key 7 <key>
tacacs-server host 10.10.10.11 key 7 <key>
aaa group server tacacs+ DC1_TACACS
server 10.10.10.10
server 10.10.10.11
aaa authentication login default group DC1_TACACS
The switch is added in my TACACS server, but I'm seeing no hits to that server from the switch. On the Catalyst you can specify the source IP the switch will use to connect to TACACS (ip tacacs source etc.); I have not found such a command (yet) on the Nexus. Nor is there a "vty" to enable authentication on.
Anybody have a thought on it? other than the obvious, I don’t have it configured right…lol…
thanks in advance.
Bruce
05-26-2010 12:34 AM
Hi Bruce,
If you have completed the TACACS configuration, just configure the IP address of the 1000v that is nearest to the TACACS server, and check that the TACACS port is open between the switch and the server.
Hope this helps!!
Ganesh.H
Remember to rate the helpful post
05-26-2010 04:13 AM
Ganesh,
Thanks for the reply. However, I'm not clear what you refer to with "configure the IP address of the 1000v that is nearest to the TACACS server". The IP is already configured on the switch mgmt 0 interface.
I am sure port 49 is open between the switch and the TACACS server; I tested it...
05-26-2010 04:21 AM
How many interfaces are configured in the 1000v? I suppose you have configured the mgmt 0 interface IP in the TACACS server. If possible, can you provide a schematic view of the IPs configured in the 1000v and the TACACS server IP?
Is the TACACS server Cisco ACS?
Ganesh.H
07-29-2010 10:41 AM
Did you ever get a response? I did JUST as you did, and NADA in my CSACS logs.
The tacacs servers appear up
sho tacacs-server
timeout value:5
deadtime value:0
total number of servers:2
following TACACS+ servers are configured:
172.21.1.221:
available on port:49
TACACS+ shared secret:********
172.21.174.221:
available on port:49
TACACS+ shared secret:********
But with the same config you have, I get only local auth. And no options for Authorization?? What's up with that?
Nick
11-17-2010 06:48 AM
Hey,
I'm having the same problem. Looking in the configuration guide I found this:
Prerequisites for AAA:
I have no idea what the second bullet means: configuring SVS as an AAA server client.
Does anyone have any thoughts on this?
Thank you,
Constantin
12-29-2010 04:59 AM
Hi ,
Can you paste a: sh run ip all
Dan
12-29-2010 05:10 AM
Hi,
Here it is:
show run ip all
version 4.0(4)SV1(3a)
vrf context management
ip route 0.0.0.0/0 1.1.1.1
ip packet policy statistics enable
no ip source-route
interface mgmt0
ip address 1.1.1.2/24
ip redirects
ip port-unreachable
Thank you,
Constantin
12-29-2010 05:15 AM
Hi Constantin,
Under the aaa group server, set "use-vrf management".
Dan
12-30-2010 12:01 AM
Do you have any feedback?
Dan
12-30-2010 01:36 AM
Hi Dan,
I made the modifications today and it works!
Thank you very much,
Constantin
12-30-2010 01:30 PM
If and when you set up the syslog export you will run into something similar. I had to configure a loopback address to get the syslog export to work correctly. I have been through your same experience with the TACACS setup on the 1000v.
12-31-2010 03:21 AM
Crl,
The same as in the AAA setup, when you configure logging you should also set the VRF:
logging server $Logging-server $logging-level use-vrf management
Replace $logging-server and $logging-level with the IP/host of the logging server and the logging level wanted, respectively.
Dan
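Both fixes in this thread come down to the same thing: on the 1000v the TACACS+ servers and the syslog servers sit behind mgmt0, so a server group or a logging server line without "use-vrf management" sources its packets from the default VRF and the server never sees them. The check below is an added example (not from the posts above and not Cisco code) that parses a running-config text and flags exactly those two omissions, plus group members that have no matching tacacs-server host line. The sample config is constructed for the example and modelled on the configs posted here; the assumption that every AAA and logging server is reachable only through the management VRF is the poster's situation, not a general rule, and is a parameter of the check.

```python
"""Flag NX-OS / Nexus 1000V AAA server groups and logging servers that will be
reached from the wrong VRF.

Added example for this thread, not Cisco code.  Assumption (taken from the
posts, not universally true): TACACS+ and syslog servers are reachable only
via mgmt0, the 'management' VRF, so any 'aaa group server' block or
'logging server' line lacking 'use-vrf management' sends traffic out of the
default VRF and the server never sees a request.
"""
import re

# Constructed sample config modelled on the thread: DC1_TACACS has no use-vrf,
# DC2_TACACS has it, and one of the two logging servers lacks it.
SAMPLE_CONFIG = """\
vrf context management
  ip route 0.0.0.0/0 1.1.1.1
interface mgmt0
  ip address 1.1.1.2/24
tacacs-server host 10.10.10.10 key 7 <key>
tacacs-server host 10.10.10.11 key 7 <key>
aaa group server tacacs+ DC1_TACACS
  server 10.10.10.10
  server 10.10.10.11
aaa group server tacacs+ DC2_TACACS
  server 10.10.10.10
  use-vrf management
aaa authentication login default group DC1_TACACS
logging server 10.10.10.20 6
logging server 10.10.10.21 6 use-vrf management
"""


def parse_tacacs_hosts(config):
    """Set of hosts defined with 'tacacs-server host <host> ...'."""
    return {m.group(1) for m in re.finditer(r"^tacacs-server host (\S+)", config, re.M)}


def parse_server_groups(config):
    """Map group name -> {'servers': [...], 'vrf': name or None} from the
    indented 'aaa group server tacacs+|radius NAME' blocks."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"aaa group server (?:tacacs\+|radius) (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = {"servers": [], "vrf": None}
            continue
        if current is None:
            continue
        if not line.startswith(" "):      # an unindented line ends the block
            current = None
            continue
        words = line.split()
        if words[0] == "server":
            groups[current]["servers"].append(words[1])
        elif words[0] == "use-vrf":
            groups[current]["vrf"] = words[1]
    return groups


def parse_logging_servers(config):
    """Map syslog host -> VRF name or None, from
    'logging server <host> [<level>] [use-vrf <vrf>]' lines."""
    pat = re.compile(r"^logging server (\S+)(?:\s+\d+)?(?:\s+use-vrf (\S+))?", re.M)
    return {m.group(1): m.group(2) for m in pat.finditer(config)}


def lint(config, mgmt_vrf="management"):
    """Return human-readable findings; an empty list means the config is clean
    under the mgmt-only-reachability assumption above."""
    findings = []
    hosts = parse_tacacs_hosts(config)
    for name, grp in parse_server_groups(config).items():
        if grp["vrf"] != mgmt_vrf:
            findings.append(f"aaa group {name}: add 'use-vrf {mgmt_vrf}' "
                            f"(currently {grp['vrf'] or 'default VRF'})")
        for srv in grp["servers"]:
            if srv not in hosts:
                findings.append(f"aaa group {name}: server {srv} has no "
                                f"'tacacs-server host {srv}' definition")
    for host, vrf in parse_logging_servers(config).items():
        if vrf != mgmt_vrf:
            findings.append(f"logging server {host}: add 'use-vrf {mgmt_vrf}'")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of "show running-config" saved to a file; two findings come back for the sample, one for DC1_TACACS and one for the first logging server, and none once "use-vrf management" is added to both.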
12-31-2010 05:45 AM
Dan,
I agree that is how we have configured it, but we were not receiving any syslog messages on our external boxes until we created a loopback interface. We are running "4.0(4)SV1(3a)" of the 1000v. Very interesting indeed.
01-07-2011 07:58 AM
I'm struggling with the same thing, but specifying the VRF did not fix it. I never see the 1000v even attempt to hit ACS, yet the debug on the 1000v shows a failure that I can't account for.
2011 Jan 7 10:50:38.599747 aaa: is_aaa_resp_status_success is FALSE
2011 Jan 7 10:50:38.599760 aaa: protocol TACACS failed with server group tacacs
2011 Jan 7 10:50:38.599771 aaa: try_next_aaa_method
2011 Jan 7 10:50:38.599784 aaa: aaa_method_config: GET request for authentication login default
2011 Jan 7 10:50:38.599796 aaa: aaa_method_config: GET methods group tacacs
2011 Jan 7 10:50:38.599808 aaa: got back the return value of aaa method configuration operation:success
2011 Jan 7 10:50:38.599819 aaa: total methods configured is 1, current index to be tried is 1
2011 Jan 7 10:50:38.599831 aaa: All Configured methods failed for login:default
2011 Jan 7 10:50:38.599842 aaa: try_fallback_method
2011 Jan 7 10:50:38.599852 aaa: handle_req_using_method
2011 Jan 7 10:50:38.599863 aaa: local_method_handler
2011 Jan 7 10:50:38.599873 aaa: LOCAL Authentication req
2011 Jan 7 10:50:38.599883 aaa: AAA_AUTHEN_TYPE_PAP
My config:
tacacs-server key 7 "vqtjjb"
tacacs-server timeout 10
tacacs-server host 10.60.90.100 key 7 "vqtjjb"
tacacs-server host 10.61.90.100 key 7 "vqtjjb"
aaa group server tacacs+ tacacs
server 10.60.90.100
server 10.61.90.100
use-vrf default (tried default and management with no luck)
aaa authentication login default group tacacs
aaa authentication login console group tacacs
aaa accounting default group tacacs
aaa authentication login error-enable
tacacs-server directed-request